1. Field of the Invention
The present invention is related to computer systems management software, and more particularly to a password aging mechanism that considers the strength of the password and can be managed by user policy settings.
2. Description of Related Art
Workstation and systems password management is a pervasive problem. While it is typically desirable from a user's point-of-view to provide or permit the user to set a limited number of passwords or a single password that contains few characters and/or is easy for the user to remember, simple passwords are much easier to break using trial-and-error or other systematic attacks. Less simple passwords that are based on personally memorable concepts may be easily compromised if the underlying concept is known to be associated with the user that “owns” the password and are generally more susceptible to dictionary attacks, in which a dictionary of words is repetitively tried until access is granted.
In order to avoid the possibility of unauthorized access through breaking a user's password, two prevalent rules are applied: 1) the password must have a minimum level of “strength” (i.e., complexity); and 2) passwords are typically “expired” periodically. When a password is expired, a user is required to provide a new password or, in systems in which passwords are automatically generated, a new password is issued to replace the expired password. Password strength is computed based on rules that typically take into account the length of the password and the types of symbols and/or letter-case of characters included in the password.
The above-described strength requirement and password expiration techniques are frequently applied in combination. However, the two techniques are not typically inter-related. The typical password expiration technique “ages” all passwords equally, further increasing the motivation for a user to choose a password of minimum strength as the expiration period decreases, as the user will ideally need to memorize a new password more frequently. For automatically generated passwords, if passwords expire frequently, then a user is possibly more likely to generate and/or keep a written record of the password for a longer period of time. The user also typically has no control at all over the aging and the strength determinations, which are generally dictated by the security subsystem in their workstation and/or network sites and applications to which the user connects.
Therefore, it would be desirable to provide a password aging technique that does not tempt users to select weak passwords or maintain long-term written records of passwords, and provides a level of user control over the password aging and/or the password strength computation processes.
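As an added illustration that is not code from the patent, the following sketch ties the expiry interval to a strength score of the kind described above (length plus character classes), with the bounds exposed as policy settings; the scoring weights, the `AgingPolicy` fields and the linear mapping are all assumptions made here:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import string


@dataclass(frozen=True)
class AgingPolicy:
    # Assumed policy knobs: bounds on the expiry interval (days) and the
    # strength score at or above which the longest interval is granted.
    min_days: int = 30
    max_days: int = 180
    full_strength_score: int = 12


def strength_score(password: str) -> int:
    """Score length and character-class diversity, in the spirit of the
    rules described above: points for length beyond 8 characters (capped
    at 16) plus two points per character class that is present."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    length_points = max(0, min(len(password), 16) - 8)
    return length_points + 2 * sum(classes)


def expiry_days(password: str, policy: AgingPolicy) -> int:
    """Map strength to an expiry interval: a weak password expires at the
    policy minimum, a full-strength one at the maximum, linear in between,
    so that a stronger password is rewarded with a longer lifetime."""
    score = strength_score(password)
    if score >= policy.full_strength_score:
        return policy.max_days
    span = policy.max_days - policy.min_days
    return policy.min_days + span * score // policy.full_strength_score


def expiry_date(password: str, set_on: datetime, policy: AgingPolicy) -> datetime:
    """Absolute expiry timestamp for a password set at `set_on`."""
    return set_on + timedelta(days=expiry_days(password, policy))


if __name__ == "__main__":
    # Constructed sample passwords, to show the spread of lifetimes.
    for pw in ("abc", "password1", "Tr0ub4dor&3", "C0rrect-Horse!Battery"):
        print(f"{pw!r}: score={strength_score(pw)} days={expiry_days(pw, AgingPolicy())}")
```

Only the interval is derived from strength here; whether the score itself is computed server-side or by the user's workstation is a separate policy choice.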